On January 5, 2021 1:43:32 AM GMT+01:00, Allan McRae via pacman-dev <pacman-dev@lists.archlinux.org> wrote:
So... I am super-anti polkit in any form for terminal based programs. I would be happy to use polkit in any graphical frontend, but we don't have one in the pacman code base!
Let's break the problem down a bit:
The areas we need root: a) package installation
The areas we should run as a dedicated user: b) database download c) package download d) gpg verification (for keyring ownership)
Am I missing anything?
The rest can be run as a user.
Currently, both the areas needing to run as root and those that could run as a dedicated user are well detected, so any operation requiring these at any stage checks for root privileges. Any operation not requiring root privileges at any stage can be run as a user. The problem is when there are combined operations!
A "quick fix" would be to boot operations b-d to separate helper binaries, with the pacman binary offloading as necessary. That removes most of our attack space.
For a more complete pacman fix, note that all root (or dedicated user) needed operations happen first in any transaction - e.g. -Syi does the "y" first, so pacman could just drop root privileges as soon as those are done.
So far so good, but I think it's a bit more complicated
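The "drop root as soon as the privileged phases are done" idea from the quoted message, as an added example that is not part of the thread and not pacman code. The phase table, the `drop_privileges` and `run_transaction` names, and the dedicated uid/gid passed in are all assumptions made for the illustration; what the example shows is the part that is easy to get wrong: clearing supplementary groups, changing gid before uid, setting real, effective and saved ids together so the drop is permanent, and verifying afterwards that root cannot be regained.

```c
/* Added example (not pacman's code): run a transaction's phases in order and
 * permanently drop root once the last phase needing elevated rights is done.
 * Linux-specific (setresuid/setresgid/getresuid). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Privilege class each phase needs, following the categories in the thread. */
enum priv { PRIV_USER, PRIV_DEDICATED, PRIV_ROOT };

struct phase { const char *name; enum priv need; };

/* Constructed phase order (an assumption): privileged work happens first,
 * as the thread observes for -Sy... style combined operations. */
static const struct phase phases[] = {
    { "database download", PRIV_DEDICATED },
    { "package download",  PRIV_DEDICATED },
    { "gpg verification",  PRIV_DEDICATED },
    { "package install",   PRIV_ROOT      },
    { "query / info",      PRIV_USER      },
};
static const int nphases = (int)(sizeof phases / sizeof phases[0]);

/* Index of the last phase needing more than plain user rights, or -1. */
int last_privileged_phase(void) {
    int last = -1;
    for (int i = 0; i < nphases; i++)
        if (phases[i].need != PRIV_USER) last = i;
    return last;
}

/* Permanently drop to uid/gid. Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Only root can (and must) clear supplementary groups; do it while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid first: once the uid is no longer 0 we lose the right to change gids. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* Set real, effective AND saved uid, so a later setuid(0) cannot restore root. */
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify the drop actually took effect. */
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (r != uid || e != uid || s != uid) {
        errno = EPERM;
        return -1;
    }
    /* If we are now non-root, regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;   /* drop was not permanent: treat as a hard failure */
        return -1;
    }
    return 0;
}

/* Run all phases; drop privileges right after the last privileged one.
 * Returns the index of the phase after which privileges were dropped,
 * or -1 if the drop failed (the remaining phases are not run in that case). */
int run_transaction(uid_t unpriv_uid, gid_t unpriv_gid) {
    int cut = last_privileged_phase();
    for (int i = 0; i < nphases; i++) {
        printf("phase %d (%s) running as euid %u\n", i, phases[i].name, (unsigned)geteuid());
        if (i == cut) {
            if (drop_privileges(unpriv_uid, unpriv_gid) != 0) {
                perror("drop_privileges");
                return -1;
            }
            printf("dropped privileges after phase %d\n", i);
        }
    }
    return cut;
}

int main(void) {
    /* Stand-alone demo: drop to the invoking user's own ids (works unprivileged too). */
    return run_transaction(getuid(), getgid()) < 0 ? 1 : 0;
}
```

Passing the invoking user's own uid/gid makes the example runnable without root; in a real privileged process the arguments would be the dedicated user's ids, and anything run after the drop (the "rest can be run as a user" part) is then unable to touch root-owned state even if it is compromised.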